Tech —

F-Secure reveals potential exploit for OS X

While only a proof-of-concept, iAdware may have the potential to do more than …

Just days after the potential .dmg file exploit was revealed in the Mac media, another latent flaw in OS X has been demonstrated. F-Secure has announced they received iAdware, an adware prototype that "successfully launched the Mac's Web browser" from other applications. Unfortunately, F-Secure plays the tease on details, giving few hints on exactly how this exploit works.

We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user. Especially as it only requires Copy permissions. An Admin could install this globally to all users.

It's likely this "feature" could be some kind of rogue Input Method made available to Cocoa applications, but without opening browser windows showing images of women doing unnatural acts—think context menu add-ons instead. John Gruber at Daring Fireball wrote a thorough and verbose article on Smart Crash Reports from Unsanity, in which he explored potential issues with that particular Input Method and the potential for "automatic" installation.

When an app that uses this API call launches, it checks to see if Smart Crash Reports is already installed (or if there’s an older version installed), and if not, installs it. It does not ask permission beforehand, nor does it report what it has done afterward.

This happens each time the app launches. So, if you notice the Smart Crash Reports input manager and trash it, the next time you launch the app, it will replace it.

Full disclosure requires that I say I love Unsanity and use their products, and that I have SCR installed—but this thing sounds kind of scary to an AOLperson. What's worse is that—like the .dmg file exploit—Apple must know that the Input Method feature could be turned into an exploit, and it is likely they have known for some time. While I enjoy security through obscurity as much as the next Mac user, I expect more from Apple. Is it going to take some kind of security debacle, either actual or in terms of public relations, to get Apple Computer to, well, start taking security as seriously as Microsoft?